diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index 10c7717383..d83b681602 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -154,6 +154,10 @@ func (b *backend) pathPolicyRead(
 "deletion_allowed": p.DeletionAllowed,
 "min_decryption_version": p.MinDecryptionVersion,
 "latest_version": p.LatestVersion,
+ "supports_encryption": p.Type.EncryptionSupported(),
+ "supports_decryption": p.Type.DecryptionSupported(),
+ "supports_signing": p.Type.SigningSupported(),
+ "supports_derivation": p.Type.DerivationSupported(),
 },
 }
 
diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md
index 0010fbcefc..f603c038d4 100644
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@@ -86,13 +86,17 @@ the settings of the "foo" key by reading it:
 ```
 $ vault read transit/keys/foo
 Key Value
-type aes256-gcm96
-deletion_allowed false
-derived false
-keys map[1:1.459861712e+09]
-latest_version 1
-min_decryption_version 1
-name foo
+deletion_allowed false
+derived false
+keys map[1:1484070923]
+latest_version 1
+min_decryption_version 1
+name foo
+supports_decryption true
+supports_derivation true
+supports_encryption true
+supports_signing false
+type aes256-gcm96
 ````
 
 Now, if we wanted to encrypt a piece of plain text, we use the encrypt
@@ -153,7 +157,7 @@ only encrypt or decrypt using the named keys they need access to.
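Review bot: The four `supports_*` entries added to the response map are computed from `p.Type` alone, so they describe what the key *type* is capable of, not how this particular key is configured — the docs hunk in the same commit shows `derived false` printed next to `supports_derivation true`, which a reader can easily take as a contradiction. A one-line comment above the new entries would head that off, e.g. `// Capability flags are a property of the key type, not of this key's settings (compare "derived").`. Because these values are fully determined by the `type` field already returned on this path, they expose nothing to a caller with read access that `type` did not already, so there is no new disclosure concern. The enclosing `pathPolicyRead` starts before and continues after this hunk, so whether `p.Type` is guaranteed non-zero here cannot be confirmed from the hunk alone.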
  • `aes256-gcm96`: AES-256 wrapped with GCM using a 12-byte nonce size (symmetric)
  • `ecdsa-p256`: ECDSA using the P-256 elliptic curve (asymmetric)
  • - Defaults to `aes256-gcm`. + Defaults to `aes256-gcm96`.
• derived
@@ -220,7 +224,11 @@ only encrypt or decrypt using the named keys they need access to.
 "1": 1442851412
 },
 "min_decryption_version": 0,
- "name": "foo"
+ "name": "foo",
+ "supports_encryption": true,
+ "supports_decryption": true,
+ "supports_derivation": true,
+ "supports_signing": false
 }
 }
 ```